It’s that time of year again: the grills light up, sandals are donned and friends and family get together to enjoy long weekends of summer fun and sun. Retailers take advantage of our increased time off and pent-up winter savings to offer new deals that attract customers to their stores. But don’t let your guard down when it comes to making that next big shopping run for the family barbeque. ZeroFOX reports an ongoing and actively spreading social media scam campaign that impersonates US, Canadian and British food retailers by targeting their customers with fake coupons and spoofed domains.

Figure 1: A) Example of a 50th anniversary coupon scam as it appears on Facebook. B) After a brief survey, the user is instructed to share and/or like the message themselves on Facebook as a way to perpetuate the content.

We’ve previously performed a deep dive on fake coupon scams circulating on Facebook, and this new breed similarly capitalizes on popular retail brands. The scam tricks the victim by using believable fake events, like 50th anniversaries, and blends in with claims such as a limit of one coupon per person. Landing on the destination webpage triggers a series of network calls to services that fingerprint the victim’s device, retrieve geographical information and track site activity. This data is then routed through different digital ad agencies and can be sold off as personally identifying information for cash. As of May 26, the following international food retailer brands have been abused: Loblaws, Primark, ShopRite, Shoppers, Tesco, Asda, Lidl, Iceland Foods, Safeway and Giant Tiger. This specific batch of scams consists of 79 unique URLs that have been shared a total of 2,459 times.

The resolved webpages are nearly identical, built from a template. This implies the campaign is run by a single attacker or attacker group. Social media’s power lies in its ability to amplify a single campaign to such an impressive scale.
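One way a defender could test the "built from a template" observation across a batch of landing pages is sketched below. This is an added example, not ZeroFOX's code: the function names, the 0.6 threshold and the constructed sample pages on `.example` domains are all assumptions.

```python
from html.parser import HTMLParser

class _TagSeq(HTMLParser):
    """Record opening tags with attribute names only; text and values are ignored."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        # Brand names, image paths and URLs vary per page; the markup skeleton does not.
        self.tags.append(tag + "[" + ",".join(sorted(k for k, _ in attrs)) + "]")

def shingles(html, k=3):
    """Set of k-length runs of consecutive tags: the page's structural fingerprint."""
    p = _TagSeq()
    p.feed(html)
    p.close()
    t = p.tags
    return {tuple(t[i:i + k]) for i in range(max(len(t) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster_by_template(pages, threshold=0.6):
    """Greedy clustering: a page joins the first cluster whose first member it resembles."""
    clusters = []  # (representative fingerprint, [urls])
    for url, html in pages.items():
        fp = shingles(html)
        for rep, members in clusters:
            if jaccard(fp, rep) >= threshold:
                members.append(url)
                break
        else:
            clusters.append((fp, [url]))
    return [members for _, members in clusters]

def _coupon_page(brand, extra=""):
    # Constructed stand-in for a templated coupon page (survey, then share/like prompt).
    return (f"<html><head><title>{brand} 50th Anniversary</title></head><body>"
            f"<div class='hdr'><img src='{brand}.png'></div><form id='survey'>"
            "<input type='radio' name='q1'><input type='radio' name='q2'>"
            f"<button>Next</button></form>{extra}<div class='share'>"
            "<a href='#'>Share</a><a href='#'>Like</a></div></body></html>")

SAMPLE_PAGES = {  # constructed sample data
    "http://brand-a.example/coupon": _coupon_page("BrandA"),
    "http://brand-b.example/coupon": _coupon_page("BrandB"),
    "http://brand-c.example/coupon": _coupon_page("BrandC", "<p>One per person</p>"),
    "http://news.example/story": "<html><head><title>News</title></head><body>"
        "<h1>T</h1><p>a</p><p>b</p><ul><li>x</li><li>y</li></ul></body></html>",
}

if __name__ == "__main__":
    for group in cluster_by_template(SAMPLE_PAGES):
        print(len(group), group)
```

Pages that land in one large cluster despite carrying different brand names are candidates for a shared template, which supports treating them as a single campaign for takedown and blocking.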

Figure 2: Similar 50th anniversary scams spread across Twitter late last year.

ZeroFOX protects enterprises and their customers using FoxThreat rules that automatically detect these types of scams when they appear on social networks. Since ZeroFOX Threat Operations has observed these scams exploit other holidays like Mother’s Day and Victoria Day (Canada), we wouldn’t be surprised to see similar activity as Memorial Day weekend approaches. We urge social media users to stay vigilant and exercise caution when stumbling upon digital coupons and other offers that seem too good to be true or aren’t distributed by officially verified retail accounts.